The SECURE CONTEXTS spec, on the other hand, explicitly includes localhost in its definition of "potentially trustworthy", which is defined as a superset of "a priori authenticated", so it's not a mere oversight that these definitions differ. localhost loaded over plain HTTP would have an HTTPS state of 'none'. If you made the request anyway the response must have its HTTPS state set to 'modern'. This is defined narrowly as having the schemes https or wss. The MIXED spec says requests that are not "a priori authenticated" should be blocked.

Has WASWG formally agreed that it makes sense that a localhost URL is blockable mixed content but is considered a secure context if loaded as its own document? Or is this a "bug" in the specs?

We can't WONTFIX it until we answer the following questions:
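The divergence described above, as an added example that is not part of the original post or of either spec: a simplified JavaScript model of the two predicates, showing which URLs count as a secure context when loaded as a document yet are blockable when requested from an HTTPS page. The function names and sample URLs are constructed, and only the https/wss and loopback cases the text mentions are modelled.

```javascript
// Simplified model of the two spec predicates contrasted in the text above.
// Assumption: only https/wss schemes and loopback hosts are modelled; the
// real specs cover more cases (other schemes, user-agent overrides).

// "a priori authenticated" as the text describes it: scheme is https or wss.
function isAPrioriAuthenticated(url) {
  const { protocol } = new URL(url);
  return protocol === 'https:' || protocol === 'wss:';
}

// Loopback hosts in this model: the name localhost, 127.0.0.0/8, and ::1.
// URL.hostname is already lower-cased, IPv4 is normalised, IPv6 keeps brackets.
function isLoopbackHost(hostname) {
  const h = hostname.replace(/\.$/, ''); // tolerate a trailing root dot
  if (h === 'localhost' || h === '[::1]') return true;
  return /^127(\.\d{1,3}){3}$/.test(h);
}

// "potentially trustworthy": a superset of a priori authenticated that adds loopback.
function isPotentiallyTrustworthy(url) {
  return isAPrioriAuthenticated(url) || isLoopbackHost(new URL(url).hostname);
}

// Evaluate one URL in both roles the text asks about.
function compare(url) {
  return {
    url,
    secureContextAsDocument: isPotentiallyTrustworthy(url),
    blockedAsSubresourceOfHttpsPage: !isAPrioriAuthenticated(url),
  };
}

// Constructed sample URLs (not taken from the page).
const samples = [
  'https://example.com/app.js',
  'http://example.com/app.js',
  'http://localhost:8080/api',
  'http://127.0.0.1:8080/api',
  'http://[::1]:8080/api',
];

// URLs where the definitions disagree: trusted as a document, blocked as a request.
function divergent(urls) {
  return urls.map(compare)
    .filter(r => r.secureContextAsDocument && r.blockedAsSubresourceOfHttpsPage)
    .map(r => r.url);
}

console.log(divergent(samples));
```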